Azure sql database tls - azure-sql-database

How do I disable TLS versions prior to 1.2 on Azure SQL database.
I know that Azure SQL database always uses encrypted connections and supports TLS 1.2, but I want to disable previous versions of TLS.

UPDATE: As of today, SQL Azure does support a model to enforce TLS 1.2+. Announcement is here:
https://azure.microsoft.com/en-us/updates/sqldb-minimal-tls-version/

Related

Check TLS1.2 for SQL Server Connection

I want to check if the connection between my application and SQL Server is used TLS1.2.
I disabled TLS1.2 but the connection still happened. I checked via wireshark and saw nothing about TLS1.2.
Please tell us whether your SQL Server is 2012 as the tag displayed. If so, firstly, please check whether the patch for enabling TLS 1.2 is installed.
Next please check whether the update for client components and drivers are installed.
Please refer to the article: TLS 1.2 support for Microsoft SQL Server.
SQL Server in Windows also supports TLS1.0 and TLS1.1. If you want to use only TLS 1.2 for client-server communication, please disable TLS 1.0 and 1.1.
Please try to disable TLS1.0 1.1 and 1.2, then reboot your machine and test whether the connection can do well.
By the way, you can see the blog to verify if a connection to SQL Server is Encrypted.

Connection to SQL database failed because of an error in initializing provider

I am trying to connect to an internal SQL database which allows TLS 1.2 protocol only.
I am able to log-in to the database using the SQL Server Management studio.
I'd like to connect to that same database using Excel 2013 (for a more graphic report). I have read a lot on Excel having problems with TLS1.2 and the use of ODBC Driver instead since that is the only one which supports tls 1.2.
Sadly when entering the credentials and testing the connection we receive the following error:
TEST CONNECTION FAILED BECAUSE OF AN ERROR ININITIALIZING PROVIDER. UNSPECIFIED ERROR
Does anybody have experience with using Excel to connect to SQL Server using TLS1.2? Am I doing something wrong? I'm using the Data link: Microsoft OLE DB Provider for ODBC drivers. The normal SQL way of adding things doesn't work either but I believe that's because TLS1.2 isn't supported there.
If I recall correctly, Management Studio will connect on port 1433 by default and use the TDS protocol and really have nothing to do with TLS. So it is not surprising that it works in SSMS.
From https://blogs.msdn.microsoft.com/sql_pfe_blog/2017/09/27/microsoft-excel-tls-sql-server-important-considerations/
For all NEW workbooks, do not use that menu option. Instead use the
"From Data Connection Wizard" and select a compliant driver from the
list. A requirement is that you have the SQL Native Client (2008 or
2012) or ODBC drivers with appropriate patches per TLS 1.2 support for
Microsoft SQL Server below.
So it seems like just using ODBC will not work unless ODBC on your machine has been patched to handle TLS 1.2.
I believe the ODBC update you need is below.
https://www.microsoft.com/en-us/download/details.aspx?id=36434&751be11f-ede8-5a0c-058c-2ee190a24fa6=True

Enables TLS 1.1 and 1.2 on Windows Server 2k8 (non R2)

Has anyone been able to get TLS 1.1 or TLS 1.2 working on Windows 2k8 SP2 (non R2). The support just recently came out Microsoft Support. I have gone through installed the updated and did the registry entries and it doesn't appear to be enabled. Is there a way to check with out just looking at registry entries?
You could use https://www.ssllabs.com/ssltest to test that your IIS configuration has been updated.
The Security tab under Chrome's developer tools will also indicate what protocol, key exchange, and cipher suite are used.

SQL Server 2012 Compatibility with New TLS 1.2 Standards

I'm trying to switch off TLS 1.0 on my SQL Server 2012 server in order to comply with PCI standards.
Initially I had some trouble with the SQL Server service not starting.
I've found help online on other sites and discussions but I'm having mixed results:
This is what I've done so far:
I have downloaded SQL Server 2012 Cumulative Update 7 (CU 6 also works) and the SQL Server Service then starts correctly.
I had a problem not being able to sign in to the DB instance through SQL Server Enterprise Manager which was fixed by installing .Net 4.6.
Next problem, client computer running IIS Application is unable to connect to SQL instance because of a 'handshaking SSL error'. I followed advice and installed the latest SNAC native client.
This was difficult to track down and the latest version available as a download from Microsoft was from 2014. I then obtained sqlnclient.msi dated 9/7/2015 revision number {E6CB4138-3D1C-4ADC-95C4-88322B60FC14} from a sub folder generated by the extract of CU 7 - "Path to Extract Folder \1033_enu_lp\x64\setup\x64".
I've updated this version of the Native client on my IIS server (and .Net 4.6) and I'm still unable to connect remotely to the SQL instance. If I enable TLS 1.0 I'm able to connect.
The exact error I'm getting is 'A connection was sucessfully established with the server, but then an error occurred during the pre-login handshake'.
My diagnosis is I don't have the correct version of SNAC on my machine compatible with TLS 1.2 and the CU 7 as the client and server cannot handshake. However, this sqlnclient.msi was extracted from the CU 7 and I cannot find a more up to date copy.
Has anyone else experienced this problem? What version of the SNAC are you using? Where did you get it?
Thanks
As of January 29th, Microsoft SQL Server supports TLS 1.2 for SQL Server 2008, SQL Server 2008 R2, SQL Server 2012 and SQL Server 2014 and major client drivers like Server Native Client, Microsoft ODBC Driver for SQL Server, Microsoft JDBC Driver for SQL Server and ADO.NET (SqlClient).
Blog post about the release: http://blogs.msdn.com/b/sqlreleaseservices/archive/2016/01/29/tls-1-2-support-for-sql-server-2008-2008-r2-2012-and-2014.aspx
List of builds that support TLS 1.2 along with the client and server component download locations (KB3135244): http://support.microsoft.com/kb/3135244
Did you get the client update from the KB (https://support.microsoft.com/en-us/kb/3052468)
Package name: 2012_SP2_SNAC_CU6_3052468_11_0_5592_x64
Download link: http://support2.microsoft.com/hotfix/KBHotfix.aspx?kbnum=3052468&kbln=en-us
What is the provider name in your IIS site?
You will need the KB3052468 update both for the client and the server. They are available on the hotfix download link provided.

SQL Azure deployment security concerns

We are developing an application that uses a Windows Azure cloud service, and a SQL Azure database. We have an ASP .NET MVC project that uses database-first to create the entities in our Visual Studio solution. Now we need to deploy the database schema to Azure.
Currently this is not possible because our network blocks outbound access on port 1433, which is the only port SQL Azure is available on. We have asked our security team for permission to open port 1433 outbound, but they have some concerns:
There is unencrypted database traffic (port 1433) allowed at Microsoft's firewall over the internet for Azure. Although there is no sensitive information in the database, management credentials are probably in clear text if database credentials are not encrypted and can lead to defacement risks.
What network ports are opened at the internet firewall for access to the system hosting the website and database?
I believe the concern in the first question is that credentials for managing the Azure DB will be sent over on port 1433 unencrypted during deployment. For the second one, I think the answer is that we can configure endpoints to open whatever ports we want for our cloud service, but they are closed by default.
I did some research, but was unable to find any definitive answers on these questions from Microsoft, which makes me think we are asking the wrong questions. I would be interested in insight from anyone with more experience in this than I have.
SQL Azure only accepts encrypted (SSL) communication per the Security Guidelines and Limitations (Windows Azure SQL Database) article here: http://msdn.microsoft.com/en-us/library/windowsazure/ff394108.aspx
Encryption and Certificate Validation All communications between
Windows Azure SQL Database and your application require encryption
(SSL) at all times. If your client application does not validate
certificates upon connection, your connection to Windows Azure SQL
Database is susceptible to "man in the middle" attacks. To validate
certificates with application code or tools, explicitly request an
encrypted connection and do not trust the server certificates. If your
application code or tools do not request an encrypted connection, they
will still receive encrypted connections. However, they may not
validate the server certificates and thus will be susceptible to "man
in the middle" attacks. To validate certificates with ADO.NET
application code, set Encrypt=True and TrustServerCertificate=False in
the database connection string. For more information, see How to:
Connect to Windows Azure SQL Database Using ADO.NET. SQL Server
Management Studio also supports certificate validation. In the Connect
to Server dialog box, click Encrypt connection on the Connection
Properties tab. SQL Server Management Studio does not support Windows
Azure SQL Database in versions prior to SQL Server 2008 R2.
SQL Azure uses 1433 and 8443. The port requirements for Azure are available here: http://msdn.microsoft.com/en-us/library/windowsazure/jj136814.aspx
If you want to limit firewall traffic to and from specific IP addresses, the Azure datacenter IP ranges are available here: http://msdn.microsoft.com/en-us/library/windowsazure/dn175718.aspx
Some options (in addition to DarrelNorton's answer):
- you can use a dedicated SQL Server VM, then you can use port forwarding and the port issue is not a problem and you have additional firewall options and additional security software you can instal
- dedicated SQL VM allows you to take advantage of TDE (Trans. Data Encryption) in SQL Server or you can do more advanced encryption techniques that are not available in SQL Azure DB
- Dedicated SQL VM you are isolated from other MSFT clients. If you get hacked, you can re provision the VM from scripts
- you can use a Virtual Network connection between the MSFT data center and your local network if you are concerned about security (the VPN is encrypted)